According to Hawker (151), IT security and control includes the physical, logical, and administrative measures organizations put in place to ensure data integrity, confidentiality, and availability to authorized users. Information systems make data available to authorized users through validation and verification procedures.
These procedures are defined in an organization’s information system policies. In addition, data integrity standards should be enforced while data is being transmitted, to protect it from unauthorized access, intentional or accidental modification, and malicious damage.
Comprehensive approaches subject organizations’ information systems to regular security checks and system audits (Peltier 2). Regular system audits ensure that responsible organizational managers are able to track users and identify potential threats and sources of malicious attacks, unauthorized access, eavesdropping, and other security-related issues. These measures are implemented within and outside organizational boundaries.
Organizations benefit from IT Security and Controls by integrating and aligning them to organizational goals and objectives. Peltier (1) argues that organizations have defined standards, policies, and procedures for implementing security measures and controls to prevent data loss or damage. Information can be sold or mined to enable radical decisions to be made.
Peltier (2) argues that users should make informed decisions on system usage when login sessions commence and should be made aware that they are being monitored.
Peltier (11) asserts that security and control measures such as firewalls implemented at different levels, risk analysis, encryption of data using different techniques, and e-mail and other communication policies ensure that organizational information is kept confidential and made available only to the intended parties. Firewalls filter outgoing and incoming data to ensure that no corrupt data, malicious software, or computer programs access an organization’s information system.
Organizations impose administrative controls on data, which is a valued asset, at different levels to ensure accountability and responsibility among system users. This may include password verification and access rights mechanisms. Data integrity is maintained organization-wide.
Logical controls ensure firewall protection for outbound and inbound data. An organization may not be at risk of losing sensitive information to outsiders when software is installed to control access to information, in addition to the implementation of access privileges for system users.
Organizations benefit from the use of physical controls by enforcing policies such as the use of cameras and a clear definition of duties. Thus, organizational activities are monitored to avoid potential incidents and threats such as data corruption, espionage, and damage.
Information is a valuable asset to any organization and should be managed well. Gertz, Guldentops, and Strous (27) assert that observing the movement of traffic in both directions enables a system performance evaluator to determine the vulnerability of system components and controls.
Such performance measures can also be evaluated against the policies and objectives of an organization. Deviations from established benchmarks determine the degree to which the information security controls are effective (Gertz, Guldentops, and Strous 57).
Other measures include the use of software tools to evaluate performance standards of networked computer systems in addition to conducting tests to evaluate effectiveness of system security. A performance evaluation plan is developed by an organization and tests conducted against benchmarks to identify security loopholes.
Information security and controls are embedded in an organization’s culture at personal and organizational levels. Tests should be consistent with organizational management security control goals and objectives (Gallegos, Senft, Manson, Daniel and Gonzales 124). Gertz, Guldentops and Strous (101) argue that data integrity should be consistently maintained in line with an organization’s information security policies. This ensures that the quality of data remains consistent with overall organizational requirements.
Gertz, Guldentops and Strous (101) argue that “security, integrity, real-time processing” are vital information systems elements that are enforced to ensure that an organization’s data is not compromised. Accurate, consistent, and reliable data are elements integrated in an organization’s approach to data integrity and availability to ensure system processes and contents are reliable.
Different organizations have different approaches to information systems security. These may operate at a logical, physical, or administrative level. According to Gertz, Guldentops and Strous (98), administrative controls and security policies include legal aspects and government regulations as well as organizational measures. On the other hand, logical and physical controls depend heavily on an organization’s information system administrative policies.
Logical controls rely on software that provides controlled access to information, in addition to the use of other devices such as firewalls to filter incoming and outgoing data. Other measures include data encryption. Data encryption standards are specified by each individual organization. Measures are constantly put in place to ensure logical security measures are not violated.
According to Gertz, Guldentops and Strous (98), physical controls envisage controlled access to computer rooms, lock and key, among others. A combination of these measures ensures data integrity. These measures are enforced on applications, on the host, and on an organization’s network. They are visualized as being implemented at different levels of an organization’s information systems.
Land O’Lakes International
One of Land O’Lakes International’s information security policies required system users to log in with their IDs and passwords as a stringent security requirement. Other security measures included controlled access to the server room, in addition to maintaining rigid organizational information security policies.
An interview with Land O’Lakes International’s IT manager revealed that a cost-benefit analysis and an evaluation of the return on investment (ROI) on the IT infrastructure indicated that the current system was compatible with the security needs of the firm. These basic IT security measures and policies ensured that the company’s information system was secure from unauthorized access, data modification, and information and data disclosure. In addition, data integrity, availability, and privacy were maintained (Gertz, Guldentops, and Strous 27).
Research findings indicated that the company was subject to information security threats, including viruses and malware. A further analysis indicated that the company’s information systems security was adequate to address its security requirements.
However, information is a key and sensitive asset to any organization.
Potential threats still existed against the security requirements of the organization’s management information systems. Therefore, an advanced security system was vitally needed.
Research findings further indicated that incident records and their frequency were used to monitor security-related issues (session audits).
Delta
Delta IT’s approach to IS security and controls started at the administrative level of the company. Information systems security policies were implemented on the network server and on database access with limited privileges. Access privileges for writing to files, reading files, and updating them in the same folder could not be accessed from a similar server.
A further security measure included firewall implementation to filter outgoing and incoming data, ensuring that only authenticated data and users accessed the network. These included the use of p2p, wireless a/p, and wireless computers that could be accessed remotely.
The company’s approach to system security combined a logical and an administrative approach. Legal requirements and information security policies were defined and implemented organization-wide. This approach ensured data and application integrity. The company’s network was also protected from unauthorized access, and this approach provided defense in depth for the company’s information system.
The information systems security manager was always at the leading edge in updating and implementing new information security controls that emerged in the market, enabling the organization to address emerging trends in information systems security and controls.
The report established that the use of USB flash drives by organizational employees posed the potential risk of exposing the system to viruses and malware. In addition, the current IT security systems, policies, and controls were effective based on results from continuous tests and system audits.
The information systems manager affirmed that the organization evaluated system security effectiveness by continuously carrying out system audits, monitoring the server, wireless, and network logs in relation to security.
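One way to implement the session audit described for both companies (incident records with their frequency, derived from server, wireless and network log-in logs, plus the USB flash drive risk), as an added Python example that is not part of the original report or either company’s tooling; the log format, the thresholds and the sample lines are constructed assumptions:

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real company data): time, log source, event, user, host, result.
SAMPLE_LOG = """\
2024-03-01T08:00:05 server login user=jsmith host=10.0.1.15 result=ok
2024-03-01T08:02:11 wireless login user=ajones host=10.0.9.40 result=fail
2024-03-01T08:02:19 wireless login user=ajones host=10.0.9.40 result=fail
2024-03-01T08:02:27 wireless login user=ajones host=10.0.9.40 result=fail
2024-03-01T08:02:33 wireless login user=ajones host=10.0.9.40 result=fail
2024-03-01T08:30:00 network usb-attach user=bkim host=10.0.1.22 result=ok
2024-03-01T09:15:42 server login user=ajones host=10.0.1.30 result=ok
garbage line that does not match the expected format
"""
LINE_RE = re.compile(r"(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse each line; lines that do not match are kept as 'unparsed' records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            records.append({"event": "unparsed", "raw": line})
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records

def session_audit(records, fail_threshold=3, window=timedelta(minutes=5)):
    """Incident records with frequency: failed-login bursts per user/host
    inside `window`, removable-media attachments, and unparsed lines."""
    incidents = Counter()
    recent_fails = defaultdict(list)  # (user, host) -> recent failure timestamps
    for rec in records:
        if rec["event"] == "unparsed":
            incidents["unparsed_line"] += 1
        elif rec["event"] == "login" and rec["result"] == "fail":
            key = (rec["user"], rec["host"])
            recent_fails[key] = [t for t in recent_fails[key] if rec["ts"] - t <= window]
            recent_fails[key].append(rec["ts"])
            if len(recent_fails[key]) >= fail_threshold:
                incidents[f"repeated_login_failure:{rec['user']}@{rec['host']}"] += 1
                recent_fails[key].clear()  # one incident per burst
        elif rec["event"] == "usb-attach":
            incidents[f"removable_media:{rec['user']}@{rec['host']}"] += 1
    return dict(incidents)
```

Unparsed lines are counted as incidents on purpose, since a log that stops matching its expected format is itself something an auditor should notice.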
Comparative Analysis
Land O’Lakes International and Delta
Land O’Lakes International’s security policies were implemented with special emphasis on user ID and password schemes as validation and verification measures, in addition to rigidly enforcing physically implemented security policies. On the other hand, Delta implemented information systems security policies on its network, such as controlled access to reading, writing to files, and other transactions with associated policy privileges.
Land O’Lakes International emphasized physical security policies, while Delta’s approach to network security policies emphasized an e-approach; thus, data validation, verification, authentication, and authorization mechanisms characterized the organization’s management information system.
While the information systems manager of Land O’Lakes International did not see a proactive need to keep the organization’s security updated on a continuous basis, Delta’s information systems manager kept the company at the leading edge in keeping with emerging trends in information security and controls (Lane 1). Thus, there was a need for Land O’Lakes International to improve and update its management information systems in line with current information systems threats and potential risks.
Literature Analysis
Hawker (151) argues that information systems should ensure data integrity through implementation at physical, logical, and administrative levels. Land O’Lakes International’s IT manager proactively implemented the organization’s security policies at the logical and administrative levels (Lane 1). However, Delta’s security policies took a physical approach.
Land O’Lakes International’s systems were more prone to security threats and risks, as no logical security implementation mechanisms were in place, as opposed to Delta, which ensured that logical security controls were enforced (Peltier 11). Delta’s information security controls were at the administrative level, ensuring tighter information security audits and controls, contrary to Land O’Lakes International’s security systems (Gallegos, Senft, Manson, Daniel and Gonzales 124).
Gertz, Guldentops, and Strous (57) argue that organizations should continuously subject their information systems to regular security audits and critically evaluate such systems on their compatibility and compliance with organizational business goals and objectives. Neither company has clearly outlined strategic plans, alternatives, and contingency measures to meet the ever-changing trends in the software industry. Of interest were Land O’Lakes International’s strategic plans and policy documents for implementing newer security measures and tools.
Both IT security managers need to review their policies and make them compatible with emerging trends in information systems security needs in a dynamic environment. These make management and system users accountable for their actions.
A strong, reliable, and secure information system must provide complete security and defense in depth for an organization’s information system. Overall, security must operate at administrative, logical, and physical levels. These measures ensure that data and information security are maintained according to organizational policies and procedures.
Logical controls need to be implemented to ensure that data and information integrity and authentication mechanisms are sound, while physical controls provide security, and administrative controls assert an organization’s consistency in enforcing information systems legal requirements and policy implementation.
These information systems security controls could ensure information integrity, classification, access control, identification, authentication, authorization, and defense in depth for the information system.
Further still, this approach could enable companies to implement information systems security governance to ensure that leaders and other system users are accountable for their actions. System audits should be conducted on a continuous basis to ensure that users are tracked and are aware that they are continuously monitored. Adequate resources should also be made available to ensure policies are well enforced and no information security lapses or loopholes exist within an organization’s information systems setting.
References
- Gallegos, F., Senft, S., Manson, D. P., & Gonzales, C. (2004). Technology Control and Audit (2nd ed.). Auerbach Publications.
- Gertz, M., Guldentops, E., & Strous, L. (2001). Integrity, Internal Control and Security in Information Systems: Connecting Governance and Technology. Web.
- Hawker, A. (2000). Security and Control in Information Systems: A Guide for Business and Accounting. Routledge. Web.
- Peltier, T. R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Web.